Bug Bounty programs are becoming a solid part of the corporate world, where cybersecurity amateurs and professionals “compete” to audit companies’ systems, networks, and devices in the search for vulnerabilities.
Rewards depend on the difficulty of the bug. And because cybercriminals get fancier tools and more knowledge with every passing year, the protection against them must harden as well.
The harder the bugs are to find, the better the payday you’ll get.
How Do Bug Bounty Programs Work?
As a “bug bounty hunter” your task is to find as many loopholes as possible in the brand’s website and in the software and hardware it uses. You can take part as an employee, freelancer, or consultant.
Of course, there are a few requirements to apply and a couple of other rules for the execution (such as documenting the detection and exploitation of the vulnerability). You will only get the well-deserved reward by providing proof of what you’ve done.
There’s not much needed to apply. With your desktop computer or laptop, a solid internet connection, skills, time, curiosity, and enough patience, you will become successful in doing it.
Don’t hold back if you don’t feel capable of it. There are Bug Bounty programs for all levels, and learning the essentials won’t cost you a dime with the help of uncle Google.
You can start as a practitioner on programs that pay a few hundred dollars, or even nothing at all. That way you’ll gain the skills and experience that the million-dollar challenges ask for.
“Shoot for the moon. Even if you miss, you’ll land among the stars.” – Norman Vincent Peale
Big-cash bug bounties drive ethical hackers and high-level IT technicians to achieve excellence for what’s perceived as 2.7x a full-time salary in similar roles.
To give you an example: The average Bug Bounty rewards were around $3,384 in 2018. And HackerOne paid close to $19 million in rewards (also in 2018 alone).
Combined with Bugcrowd, their list of active programs has reached more than 700 since then.
Of course, this is not a get-rich-fast scheme. These are hard tasks set by big companies.
You can visit the list for yourself, or check a few I found interesting:
Here’s an entire official list of attractive Bug Bounty programs to participate in (if you’re into it).
1) Google Vulnerability Reward Program (GVRP)
Since November 2010 you can be part of the GVRP, which covers all Google-owned web properties and services, including most Android systems and devices.
In scope are bugs inside the Google Cloud Platform, Google-developed ads and extensions, as well as smartphones (Pixel 2, 3, and 4, including the XL models of each) and home hardware devices (Home, OnHub, Nest).
The reward program includes domains *youtube.com and *blogger.com.
Rewards go from $100 for low-impact abuse methodologies, up to $1,000,000 for code execution on the Pixel Titan M.
2) Microsoft
Are you qualified to submit your findings on Microsoft domains and endpoints?
If you are, you can be rewarded $500 to $20,000 according to the severity and impact of the vulnerabilities. Click on the links above to set up your test accounts.
3) Facebook and its programs ecosystem
The social media behemoth’s platforms are covered by Facebook’s Bug Bounty program. Other qualifying products to report on are: FB Lite, WhatsApp, Instagram, Oculus, Workplace, Portal, and Express Wi-Fi.
There’s a minimum reward of $500, but there’s no stated maximum.
The value scales with the severity of the bug and the creativity needed to find it, although “extremely low-risk issues may not qualify at all.”
4) Alibaba & Aliexpress
These two are run by the same parent company and therefore share one set of guidelines. To be clear, the Alibaba Vulnerability Disclosure Program has two levels to focus on:
The first is Core Business (products and services related to buyers and sellers), and the second is the Normal Business layer (in-scope domains not related to those products and services).
Rewards vary between $30 to over $8,000 per vulnerability.
5) Amazon
Amazon customers and web security researchers can participate in this program to disclose bugs in Amazon’s mobile app and web browsers. Eligible marketplaces are: .com, .uk, .jp, .de, .fr, .mx, .es, .in, and .ca.
Smaller “issues” can be reported, but without a paid reward. Otherwise, the amounts go from $100 for low-risk bugs, up to $15,000 for critical ones.
6) Chrome Vulnerability Reward & Mozilla Security Bug Bounty programs
To begin with, the Chromium parent company offers a minimum reward of $500 and a maximum of $150,000. It targets bugs on the Stable, Beta, and Dev channels, as well as bugs in third-party components such as Adobe Flash and the Linux kernel.
In the case of Mozilla’s bug bounty program, it covers vulnerabilities found in Aurora, EarlyBird, and other Mozilla-central releases, like Firefox.
Their cash reward is $3,000, plus a Mozilla T-shirt.
7) Indeed & Glassdoor
Both job board platforms founded their vulnerability reward programs years ago, but due to the rise of cyber threats emerging from the COVID-19 event, they came back (Indeed with bigger paydays, and Glassdoor with lower ones).
You must always provide a clear attack scenario for them to confirm the report is eligible. Documenting the steps for clear replication, along with additional recommendations, will earn you extra points.
Rewards for Indeed range from a $200 minimum to a $10,000 maximum. The Glassdoor minimum is $100 and the maximum is $2,500.
Have you seen one that interests you, either to join or to replicate for your own company?
If you are the owner of a big business, then you already know enough about the threats wandering around the world wide web, and some of the precautions to take.
And maybe you know, or maybe you don’t… But it’s almost impossible to get a perfect cybersecurity architecture. If you have the budget, you can set up yours.
Of course, no results are guaranteed if you don’t have capable cybersecurity experts around you (giving you insights and pointing out when it works and when it doesn’t).
Besides, launching a bug bounty program means letting strangers into your “house”, which I don’t recommend as the best option.
What can you do instead?
I invite you to talk about it… At no cost.